add RedirectionGuard=no to windows-installer.iss#9863
add RedirectionGuard=no to windows-installer.iss#9863
RedirectionGuard=no to windows-installer.iss#9863Conversation
|
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
![oz-for-oss[bot]](https://avatars.githubusercontent.com/in/3450139?s=60&v=4){kind=small}
There was a problem hiding this comment.
Overview
This PR disables Inno Setup RedirectionGuard for the Windows installer.
Concerns
- The stated fix depends on RedirectionGuard affecting Warp and its child processes, but Inno Setup documents this directive as applying only to Setup/Uninstall and not being inherited by child processes or the installed application. Disabling it therefore weakens installer/uninstaller protection without addressing the runtime symlink traversal issue described in the PR.
Verdict
Found: 0 critical, 1 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
|
I'm starting a first review of this pull request. You can view the conversation on Warp. I completed the review and no human review was requested for this pull request. Comment Powered by Oz |
There was a problem hiding this comment.
Overview
This PR disables Inno Setup's RedirectionGuard mitigation for the Windows setup/uninstall process.
Concerns
- Disabling RedirectionGuard removes a Windows junction/symlink traversal mitigation from an installer that can run elevated, while the documented directive scope is the setup/uninstall process rather than the installed Warp app runtime.
Security
- The installer allows administrative install mode, so disabling RedirectionGuard can re-open privileged path-redirection attack surface during install or uninstall.
Verdict
Found: 0 critical, 1 important, 0 suggestions
Request changes
Comment /oz-review on this pull request to retrigger a review (up to 3 times on the same pull request).
Powered by Oz
| created by non-admin users will fail with error 448." | ||
| ); | ||
| } | ||
| } |
There was a problem hiding this comment.
This is not the fix. This just detects this error case and logs a warning. This will be helpful if this regresses.
| SetupMutex={#AppMutexName}Setup | ||
| ; Version 1809 / Build 18362 is required for ConPTY. See https://github.com/microsoft/vscode-docs/blob/9d736b662fdde3fed17d8bc2ed70bfea4ae20636/docs/supporting/troubleshoot-terminal-launch.md?plain=1#L66/ | ||
| MinVersion=10.0.18362 | ||
| ; Tell Windows Explorer to reload the environment so that path changes take effect. | ||
| ChangesEnvironment=true | ||
| RedirectionGuard=no |
There was a problem hiding this comment.
Here is the actual fix.
1 participant
Description
This fixes #9044
As a bonus, we are also getting auto-update failures for our community package in scoop extras and this should fix that #9796
See: https://jrsoftware.org/ishelp/index.php?topic=setup_redirectionguard
Symlink traversal was being blocked by Warp and all child processes. This caused all kinds of failures:
~/.gitconfigis a symlinkTesting
You can test this by building the installer, running the installer, and installing it with the "Run Warp" option checked at the end of the installer.
Changelog Entries for Stable
CHANGELOG-BUG-FIX: [Windows] Symlink traversal fixed.